Revoking Access Tokens
The Nylas <ACCESS_TOKEN> never expires. If you want to stop using it, you'll have to revoke it. If you ever need to re-authenticate an account, you can have more than one access token for an account.
Even though a Nylas access token never expires, it can become invalidated or de-authenticated.
Revoking Tokens
Since Nylas access tokens never expire, we recommend revoking former Nylas access tokens when you re-authenticate accounts. You can use the Account Management /revoke-all endpoint with the keep_access_token body parameter to ensure former access tokens are revoked. An example workflow is described below:
1. Authenticate a Google account and get the initial <ACCESS_TOKEN>.
2. The user changes their password and the account becomes invalidated. However, the initial Nylas <ACCESS_TOKEN> is still active.
3. Re-authenticate the Google account and receive a new <ACCESS_TOKEN> for the account.
4. Call the /revoke-all endpoint with keep_access_token=<ACCESS_TOKEN> using the new access token from Step 3.
Gmail Limitations
If you use the /revoke-all endpoint and don't use the keep_access_token parameter to keep at least one access token, the Gmail refresh_token is also revoked.
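The revocation call from Step 4, with a guard for the Gmail limitation above, as an added example that is not Nylas's own code. The base URL, the /a/{client_id}/accounts/{account_id}/revoke-all path, the Basic-auth scheme and both function names are assumptions to check against your Nylas API reference.

```python
import base64
import json
import urllib.request
from urllib.parse import quote

# Assumed base URL; the page names only the /revoke-all endpoint.
API_BASE = "https://api.nylas.com"


def build_revoke_all_request(client_id, client_secret, account_id, keep_access_token):
    """Build (without sending) the /revoke-all POST that keeps one token alive."""
    # Gmail limitation from the page: with no token kept, the Gmail
    # refresh_token is revoked too, so refuse to build that request.
    if not isinstance(keep_access_token, str) or not keep_access_token.strip():
        raise ValueError("keep_access_token must be the new token from re-authentication")
    # Assumed path layout for the Account Management API; IDs are
    # percent-encoded so they cannot alter the path.
    url = (f"{API_BASE}/a/{quote(client_id, safe='')}"
           f"/accounts/{quote(account_id, safe='')}/revoke-all")
    # Assumed auth scheme: client secret as the HTTP Basic username, empty password.
    basic = base64.b64encode(f"{client_secret}:".encode()).decode()
    body = json.dumps({"keep_access_token": keep_access_token}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/json"},
    )


def revoke_former_tokens(client_id, client_secret, account_id, new_access_token):
    """Step 4: run only after re-authentication has returned new_access_token."""
    req = build_revoke_all_request(client_id, client_secret, account_id, new_access_token)
    # urlopen raises urllib.error.HTTPError on a non-2xx response, so a failed
    # revocation is never mistaken for success.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

Call revoke_former_tokens right after storing the new token, and keep both the client secret and the token out of logs and error messages.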